Bug#894386: libinstpatch: memory corruption in file IpatchSF2Reader.c
Joël Krähemann
jkraehemann at gmail.com
Thu Mar 29 17:18:18 BST 2018
Source: libinstpatch
Severity: normal
Dear Maintainer,
The file IpatchSF2Reader.c has seen in the upstream code base some fixes
of potential memory corruption. This can lead to undefined behaviour.
I provide a patch with the specific changes, fixing the issue.
-- System Information:
Debian Release: buster/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.15.0-2-amd64 (SMP w/24 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
--- libinstpatch-1.0.0/libinstpatch/IpatchSF2Reader.c 2010-10-25 12:46:26.000000000 -0400
+++ libinstpatch-1.0.0.orig/libinstpatch/IpatchSF2Reader.c 2018-03-29 11:57:52.433939326 -0400
@@ -647,13 +647,13 @@
if (!ipatch_file_read (riff->handle, bag_table, chunk->size, err))
return (FALSE); /* bag_table will be freed by finalize() */
- pgenndx = IPATCH_FILE_SWAP16 (riff->handle, &bag_table[0]);
- pmodndx = IPATCH_FILE_SWAP16 (riff->handle, &bag_table[1]);
+ pgenndx = IPATCH_FILE_SWAP16 (riff->handle->file, &bag_table[0]);
+ pmodndx = IPATCH_FILE_SWAP16 (riff->handle->file, &bag_table[1]);
for (i=0; i < reader->pbag_count; i++)
{
- genndx = IPATCH_FILE_SWAP16 (riff->handle, &bag_table[(i+1)*2]);
- modndx = IPATCH_FILE_SWAP16 (riff->handle, &bag_table[(i+1)*2+1]);
+ genndx = IPATCH_FILE_SWAP16 (riff->handle->file, &bag_table[(i+1)*2]);
+ modndx = IPATCH_FILE_SWAP16 (riff->handle->file, &bag_table[(i+1)*2+1]);
if (genndx < pgenndx)
{
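Review bot: In the loop bounded by reader->pbag_count, the reads of bag_table[(i+1)*2] and bag_table[(i+1)*2+1] reach index pbag_count*2+1, while the only length visible in this hunk is the chunk->size passed to ipatch_file_read. Since the report is filed as memory corruption, please confirm that code before this point checks that chunk->size covers pbag_count + 1 pairs of entries, or add that check here, because the change of the macro argument alone does not bound the indexing. Separately, the file header labels look reversed: the changed file (dated 2018) is named libinstpatch-1.0.0.orig on the +++ line and the 2010 file is on the --- line. Regenerating the diff with the pristine tree as the first argument would avoid confusion when the patch is applied.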
@@ -973,13 +973,13 @@
if (!ipatch_file_read (riff->handle, bag_table, chunk->size, err))
return (FALSE); /* bag_table will be freed by finalize() */
- pgenndx = IPATCH_FILE_SWAP16 (riff->handle, &bag_table[0]);
- pmodndx = IPATCH_FILE_SWAP16 (riff->handle, &bag_table[1]);
+ pgenndx = IPATCH_FILE_SWAP16 (riff->handle->file, &bag_table[0]);
+ pmodndx = IPATCH_FILE_SWAP16 (riff->handle->file, &bag_table[1]);
for (i=0; i < reader->ibag_count; i++)
{
- genndx = IPATCH_FILE_SWAP16 (riff->handle, &bag_table[(i+1)*2]);
- modndx = IPATCH_FILE_SWAP16 (riff->handle, &bag_table[(i+1)*2+1]);
+ genndx = IPATCH_FILE_SWAP16 (riff->handle->file, &bag_table[(i+1)*2]);
+ modndx = IPATCH_FILE_SWAP16 (riff->handle->file, &bag_table[(i+1)*2+1]);
if (genndx < pgenndx)
{
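Review bot: The four replaced lines around the reader->ibag_count loop are the same edit as in the previous hunk, which means the defect had to be found and fixed twice. Consider moving the index reads into one small helper used by both the pbag_count and ibag_count loops so a later fix cannot land in only one of them. The patch description should also state why IPATCH_FILE_SWAP16 needs riff->handle->file while ipatch_file_read in the unchanged context keeps taking riff->handle, since the old argument was evidently accepted by the macro and a short comment next to the macro call would stop the wrong pointer from being reintroduced.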